Saturday, 21 September, 2019

Zoom backtracks on 'legitimate solution' that left Mac webcams vulnerable to hijacking

Cecil Davis | 11 July, 2019, 10:58

The update also allows users to manually uninstall Zoom.

"Additionally, if you have ever installed the Zoom client and then uninstalled it, you still have a local host web server on your machine that will happily reinstall the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage".

The flaw only affects computers running Apple's MacOS, because Windows computers manage connections in a different way, the report says.

'Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client,' Zoom says.

In a more detailed public statement, Zoom said admins and users will be able to turn off video if they configure their client video settings, and that preferences from their first Zoom meeting will be saved once they apply its July update. To set up a conference meeting, users must send a web link to the participants to click and participate. In addition, the security researcher found that this same security issue made it possible for any web page to mount a denial-of-service (DoS) attack against a Mac user by making that user repeatedly join an invalid call. Zoom was informed of the exploit but said that it did not plan to remove the feature because it was a "legitimate solution" that other service providers have used as well.


But now, TechCrunch reports that Apple chose to step in regardless, launching a silent update for Macs that removes Zoom's web server functionality altogether.

"We appreciate the hard work of the security researcher in identifying security concerns on our platform".

This gave attackers the opportunity to put malicious code on websites that connect to the hidden web server (e.g. the Outlook web app). Security best practices generally recommend public disclosure of major threats or vulnerabilities within a 90-day period, and the blog post suggested the company had not acted in a timely manner to protect its customers. It's underhanded and breaches trust boundaries.

"This is a good example of why you should never overlook physical security", said Lamar Bailey, Senior Director of Security at Tripwire.